Recently, there have been several high-profile cases of financial institutions having to handle a surge of Data Subject Access Requests (DSARs). These cases have highlighted the importance of being prepared. Since DSARs are not going away any time soon, organisations need to take the time now to outline efficient and cost-effective processes for responding to DSARs, which can be replicated time after time.

Both Article 15 and Recital 63 of the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 provide the right for individuals to request a copy of the personal data an organisation holds about them. It is the responsibility of an organisation and its employees to welcome and respond to these requests. While responding to DSARs can be burdensome, it is a legislated right, so your corporate culture should treat all such requests with the spirit of openness that the legislation expects, regardless of the cost. This spirit of openness may not currently be ingrained in your culture, so it is important to recognise what shift may need to occur.

So, where do you start? To effectively manage DSARs, which can vary dramatically in both scale and complexity, your organisation needs to be prepared with a combination of processes, technology, and cultural factors. For many organisations, it is both more efficient and cost effective to outsource this intensive task.

Your Guide to DSARs

So long as your business is dealing with consumer data, no matter the industry, this Epiq guide will help you navigate the DSAR response process:

  • Change Your Culture to Embrace DSARs as a Legislated Right

It’s essential to instil a positive culture within your organisation that understands and respects this right. Regardless of any personal opinions on the affiliations of the requester, or your staff, DSARs must be addressed in compliance with the law. Your teams should be aware that any notes they write, or data they collect, could be included in a DSAR output, which may negatively impact your organisation. Keep all notes and data legal and reasonable to avoid opening a Pandora’s box of reputational risk. Partnering with HR, internal comms, and operations for support in developing a change management process can help to address this cultural need. DSARs should not just be the responsibility of legal.

  • Take Control of Your Data Landscape

Ensure your organisation is both identifying and classifying documents containing sensitive information and Personally Identifiable Information (PII). Create data maps that clearly depict where PII and sensitive data are stored, processed, and transmitted within your organisation. If you do not know where your data lives, certifying you have complied with a DSAR will be a great challenge. Epiq tip: partner with an outsourced provider to work with customer service, operations, and IT to map your data.

  • Clarify Requests and Request Extensions

When appropriate, seek clarification from the requester if their DSAR is complex or vague. If processing a large volume of data, consider asking for an extension so that you can provide a comprehensive response. Clarity and communication are key.

  • Define Internal Workflows and Track Timelines

Establish internal workflows that cover every step of the DSAR process, from request initiation and identity verification through delivery of the final response. Make certain that the results of each process, any communications with the requester, and the overall timelines are all tracked meticulously to guarantee a compliant response.

  • Implement a Document Review Platform either With an Outsource Partner or on Your Own

Centralise the process of both the review and the redactions using a document review platform. This technology allows you to streamline the handling of documents while providing you with the scale and predictability to construct an efficient process. If your teams are already operating at capacity and lack the skills required, you should seek external help from a provider who has both the resources and expertise to deploy and configure such systems.

  • Utilise Advanced Analytics

Leveraging the advanced analytical capabilities included in these review platforms, like near-duplicate analysis and email threading, can significantly narrow down the document pool to those within the scope of the request. This reduces the time and effort required for review, and better utilises your valuable talent resources.

  • Automate Redaction Workflows

DSARs can be an overwhelming process. Reducing the load on your people will help your team avoid feeling drained or demotivated. By automating the redaction of personal information, you both increase accuracy and reduce manual effort. Having the right technology and processes in place is crucial for this step. Work with your internal IT team or external partners to help articulate your objectives for this step, and to build out potential solutions.

  • Build a Scalable Review Team

Requests can vary dramatically in size. Making sure you have access to a scalable team of reviewers, whether in-house or outsourced, can help you prepare for varying workloads.

Conclusion

Data Subject Access Requests are now an integral part of business operations, especially for organisations with employees and/or customers based in the UK and Europe. Preparing your team, embracing a culture of compliance, and implementing the right technology and workflows are crucial steps in managing DSARs effectively. Using analytics and automation can drastically shrink the costs incurred whilst also reducing the demoralising workloads that distract your teams from their critical everyday business operations. DSARs are a right, but with the right approach they do not have to cost your business its efficiency or its reputation.

Posted by Jonathan White, Solutions Architect, EMEA, Epiq

Jonathan has over a decade of experience assisting clients across Europe with overcoming the complex technical challenges associated with large-scale international litigation, internal investigations, and information governance. He guides them through matters from beginning to end, including initial data preservation, forensic analysis, and accelerating results through the use of artificial intelligence. He has worked with major banking, pharmaceutical, and insurance clients to get to the heart of issues such as financial fraud, bribery, insider trading, and whistle-blower allegations. He holds a range of industry certifications, including recognition as a Relativity Certified Administrator (RCA) and Relativity Expert status.